CISCO CCNA NAT CONFIGURATION
TO WATCH OUR CISCO CCNA VIDEO TRAININGS PLEASE CHECK OUT THE LINK BELOW: WWW.ASMED.COM/C1
ASM EDUCATIONAL CENTER INC. (ASM)
WHERE TRAINING, TECHNOLOGY & SERVICE CONVERGE
PHONE: (301) 984-7400
ROCKVILLE, MD
NAT = NETWORK ADDRESS TRANSLATION
REMEMBER THE PRIVATE IP ADDRESSES:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
THE GOAL IS TO CONVERT YOUR PRIVATE IP ADDRESS TO A PUBLIC ADDRESS SO THAT YOUR INTERNAL PEOPLE CAN ACCESS THE INTERNET.
THERE ARE 2 KINDS:
1) DYNAMIC NAT - USE IT WHEN YOUR PRIVATE NETWORK NEEDS TO GO OUT TO THE INTERNET. IT HAS TWO KINDS:
   - SUPPOSE I HAVE 6 PRIVATE ADDRESSES AND THE ISP GIVES ME 6 PUBLIC ADDRESSES: THEN ALL SIX PEOPLE GO TO THE INTERNET.
   - SUPPOSE I HAVE 62 PRIVATE ADDRESSES AND THE ISP ONLY GIVES ME 6 PUBLIC ADDRESSES: IN THIS CASE YOU MUST USE THE KEYWORD "OVERLOAD". THIS CONCEPT IS CALLED PAT (PORT ADDRESS TRANSLATION).
2) STATIC NAT - USE IT WHEN PEOPLE ON THE INTERNET NEED TO COME TO YOUR WEB SERVER THAT IS LOCATED IN THE PRIVATE LAN (= 10.10.10.1). IN THIS CASE YOU NEED TO USE STATIC NAT.
HERE IS MY LAB ON NAT/PAT:
GIVEN BY THE ISP: 6 PUBLIC ADDRESSES, 198.18.151.97, .98, .99, .100, .101, .102, WITH SUBNET MASK /29
/29 = 255.255.255.248 (LAST OCTET 11111000)
AND I HAVE 62 INTERNAL IP ADDRESSES THAT NEED TO GO TO THE INTERNET: 192.168.91.65 - 192.168.91.126 WITH MASK /26
/26 = 255.255.255.192 (LAST OCTET 11000000)
STEP 1) DEFINE THE POOL OF INSIDE GLOBAL ADDRESSES (PUBLIC ADDRESSES) THAT THE INSIDE LOCAL ADDRESSES WILL BE TRANSLATED TO:
HINT: ALWAYS, ALWAYS START WITH IP NAT ?

R1#
R1#CONFIG T
ENTER CONFIGURATION COMMANDS, ONE PER LINE. END WITH CNTL/Z.
R1(CONFIG)#IP NAT ?
  INSIDE   INSIDE ADDRESS TRANSLATION
  OUTSIDE  OUTSIDE ADDRESS TRANSLATION
  POOL     DEFINE POOL OF ADDRESSES
R1(CONFIG)#IP NAT POO
R1(CONFIG)#IP NAT POOL ?
  WORD  POOL NAME
R1(CONFIG)#IP NAT POOL CCNA ?
  A.B.C.D  START IP ADDRESS
R1(CONFIG)#IP NAT POOL CCNA 198.18.151.97 ?
  A.B.C.D  END IP ADDRESS
R1(CONFIG)#IP NAT POOL CCNA 198.18.151.97 198.18.151.102 ?
  NETMASK  SPECIFY THE NETWORK MASK
R1(CONFIG)#IP NAT POOL CCNA 198.18.151.97 198.18.151.102 NET
R1(CONFIG)#IP NAT POOL CCNA 198.18.151.97 198.18.151.102 NETMASK ?
  A.B.C.D  NETWORK MASK
R1(CONFIG)#IP NAT POOL CCNA 198.18.151.97 198.18.151.102 NETMASK 255.255.255.248 ?
  <CR>
R1(CONFIG)#IP NAT POOL CCNA 198.18.151.97 198.18.151.102 NETMASK 255.255.255.248
R1(CONFIG)#
HERE IS MY SHOW RUN:
IP NAT POOL CCNA 198.18.151.97 198.18.151.102 NETMASK 255.255.255.248
HINT: ANY TIME YOU SEE THE WORD POOL, IT TELLS YOU THAT IT IS A PUBLIC IP ADDRESS.

STEP 2) DEFINE THE SOURCE OF THE INSIDE LOCAL ADDRESSES AND BIND IT TO CCNA DEFINED IN PART 1
HINT: IP NAT ?

R1#
R1#
R1#CONFIG T
ENTER CONFIGURATION COMMANDS, ONE PER LINE. END WITH CNTL/Z.
R1(CONFIG)#IP NAT ?
  INSIDE   INSIDE ADDRESS TRANSLATION
  OUTSIDE  OUTSIDE ADDRESS TRANSLATION
  POOL     DEFINE POOL OF ADDRESSES
R1(CONFIG)#IP NAT
% INCOMPLETE COMMAND.
R1(CONFIG)#IP NAT INS
R1(CONFIG)#IP NAT INSIDE ?
  SOURCE  SOURCE ADDRESS TRANSLATION
R1(CONFIG)#IP NAT INSIDE SOU
R1(CONFIG)#IP NAT INSIDE SOURCE ?
  LIST    SPECIFY ACCESS LIST DESCRIBING LOCAL ADDRESSES
  STATIC  SPECIFY STATIC LOCAL->GLOBAL MAPPING
R1(CONFIG)#IP NAT INSIDE SOURCE LIST ?
  <1-199>  ACCESS LIST NUMBER FOR LOCAL ADDRESSES
  WORD     ACCESS LIST NAME FOR LOCAL ADDRESSES
R1(CONFIG)#IP NAT INSIDE SOURCE LIST 1 ?
  INTERFACE  SPECIFY INTERFACE FOR GLOBAL ADDRESS
  POOL       NAME POOL OF GLOBAL ADDRESSES
R1(CONFIG)#IP NAT INSIDE SOURCE LIST 1 POO
R1(CONFIG)#IP NAT INSIDE SOURCE LIST 1 POOL ?
  WORD  NAME POOL OF GLOBAL ADDRESSES
R1(CONFIG)#IP NAT INSIDE SOURCE LIST 1 POOL CCNA ?
  OVERLOAD  OVERLOAD AN ADDRESS TRANSLATION
  <CR>
R1(CONFIG)#IP NAT INSIDE SOURCE LIST 1 POOL CCNA OVE
R1(CONFIG)#IP NAT INSIDE SOURCE LIST 1 POOL CCNA OVERLOAD ?
  <CR>
R1(CONFIG)#IP NAT INSIDE SOURCE LIST 1 POOL CCNA OVERLOAD
HINT: IF THE ISP HAS GIVEN YOU A SINGLE IP ADDRESS, THEN AFTER LIST 1 ? I WILL USE INTERFACE S0/0.
HINT: WHEN YOU SEE THE WORD LIST, THAT SHOULD TELL YOU: I NEED TO HAVE ACL 1 THAT WILL DEFINE MY LOCAL ADDRESSES.

STEP 3) NOW DEFINE YOUR ACL 1
HINT: I HAVE /26

  255.255.255.255
- 255.255.255.192
  ---------------
  0.0.0.63         AS WILDCARD

R1(CONFIG)#ACCESS-LIST 1 PERMIT 192.168.91.64 0.0.0.63
(192.168.91.64 = SUBNET ID, 0.0.0.63 = WILDCARD)
R1(CONFIG)#
R1(CONFIG)#ACC
R1(CONFIG)#ACCESS-LIST ?
  <1-99>     IP STANDARD ACCESS LIST
  <100-199>  IP EXTENDED ACCESS LIST
R1(CONFIG)#ACCESS-LIST 1 ?
  DENY    SPECIFY PACKETS TO REJECT
  PERMIT  SPECIFY PACKETS TO FORWARD
  REMARK  ACCESS LIST ENTRY COMMENT
R1(CONFIG)#ACCESS-LIST 1 PERMI
R1(CONFIG)#ACCESS-LIST 1 PERMIT ?
  A.B.C.D  ADDRESS TO MATCH
  ANY      ANY SOURCE HOST
  HOST     A SINGLE HOST ADDRESS
R1(CONFIG)#ACCESS-LIST 1 PERMIT 192.168.91.69 0.0.0.63
HERE I INTENTIONALLY PUT THE WRONG SUBNET ID, BUT IOS WILL FIX IT FOR ME.
HERE IS MY SHOW RUN:

IP NAT POOL CCNA 198.18.151.97 198.18.151.102 NETMASK 255.255.255.248
IP NAT INSIDE SOURCE LIST 1 POOL CCNA OVERLOAD
IP CLASSLESS
!
!
ACCESS-LIST 1 PERMIT 192.168.91.64 0.0.0.63

STEP 4) TELL THE ROUTER WHICH SIDE IS INSIDE AND WHICH SIDE IS OUTSIDE. MAKE SURE YOU ARE UNDER THE INTERFACE AND GIVE:

INT F0/0
 IP NAT INSIDE
INT S0/0
 IP NAT OUTSIDE
R1#CONFIG T
ENTER CONFIGURATION COMMANDS, ONE PER LINE. END WITH CNTL/Z.
R1(CONFIG)#INT F0/0
R1(CONFIG-IF)#IP NAT
R1(CONFIG-IF)#IP NAT ?
  INSIDE   INSIDE INTERFACE FOR ADDRESS TRANSLATION
  OUTSIDE  OUTSIDE INTERFACE FOR ADDRESS TRANSLATION
R1(CONFIG-IF)#IP NAT INS
R1(CONFIG-IF)#IP NAT INSIDE
R1(CONFIG-IF)#
R1(CONFIG-IF)#
R1(CONFIG-IF)#INT S0/0
R1(CONFIG-IF)#IP NAT ?
  INSIDE   INSIDE INTERFACE FOR ADDRESS TRANSLATION
  OUTSIDE  OUTSIDE INTERFACE FOR ADDRESS TRANSLATION
R1(CONFIG-IF)#IP NAT OUT
R1(CONFIG-IF)#IP NAT OUTSIDE
NOW LET'S LOOK AT SHOW RUN:

INTERFACE FASTETHERNET0/0
 IP ADDRESS 192.168.91.126 255.255.255.192
 IP NAT INSIDE
 DUPLEX AUTO
 SPEED AUTO
!
!
INTERFACE SERIAL0/0
 IP ADDRESS 192.0.1.109 255.255.255.252
 IP NAT OUTSIDE
 CLOCK RATE 64000
IP NAT POOL CCNA 198.18.151.97 198.18.151.102 NETMASK 255.255.255.248
IP NAT INSIDE SOURCE LIST 1 POOL CCNA OVERLOAD
IP CLASSLESS
!
!
ACCESS-LIST 1 PERMIT 192.168.91.64 0.0.0.63

THE LAST TWO STEPS ARE DONE TO CHECK AND MAKE SURE LIFE IS GOOD:
STEP 5) MAKE SURE YOUR ROUTER HAS A DEFAULT ROUTE TO THE ISP.

R1#CONFIG T
ENTER CONFIGURATION COMMANDS, ONE PER LINE. END WITH CNTL/Z.
R1(CONFIG)#
R1(CONFIG)#IP ROUTE 0.0.0.0 0.0.0.0 ?
  A.B.C.D          FORWARDING ROUTER'S ADDRESS
  ETHERNET         IEEE 802.3
  FASTETHERNET     FASTETHERNET IEEE 802.3
  GIGABITETHERNET  GIGABITETHERNET IEEE 802.3Z
  LOOPBACK         LOOPBACK INTERFACE
  NULL             NULL INTERFACE
  SERIAL           SERIAL
R1(CONFIG)#IP ROUTE 0.0.0.0 0.0.0.0 192.0.1.110
STEP 6) MAKE SURE THE ISP KNOWS YOUR NETWORK, SO THE ISP WILL NEED A STATIC ROUTE BACK TO YOUR NETWORK.

ISP#
ISP#CONFIG T
ENTER CONFIGURATION COMMANDS, ONE PER LINE. END WITH CNTL/Z.
ISP(CONFIG)#IP ROUTE ?
  A.B.C.D  DESTINATION PREFIX
ISP(CONFIG)#IP ROUTE 198.18.151.96 ?
  A.B.C.D  DESTINATION PREFIX MASK
ISP(CONFIG)#IP ROUTE 198.18.151.96 255.255.255.248 ?
  A.B.C.D          FORWARDING ROUTER'S ADDRESS
  ETHERNET         IEEE 802.3
  FASTETHERNET     FASTETHERNET IEEE 802.3
  GIGABITETHERNET  GIGABITETHERNET IEEE 802.3Z
  LOOPBACK         LOOPBACK INTERFACE
  NULL             NULL INTERFACE
  SERIAL           SERIAL
ISP(CONFIG)#IP ROUTE 198.18.151.96 255.255.255.248 S0/0
ISP(CONFIG)#
AS WE SEE, FOR THE ISP MAKE SURE YOU USE THE PUBLIC ADDRESS, NOT THE PRIVATE ONE, SINCE THE ISP DOES NOT KNOW YOUR PRIVATE IP ADDRESS.
NOW I GO AND CHECK THE PING FROM THE PC TO THE INTERNET; THEN I GO TO R1#SHOW IP NAT TRANSLATION

PC>
PC>PING 192.0.1.110

PINGING 192.0.1.110 WITH 32 BYTES OF DATA:

REPLY FROM 192.0.1.110: BYTES=32 TIME=13MS TTL=254
REPLY FROM 192.0.1.110: BYTES=32 TIME=15MS TTL=254
REPLY FROM 192.0.1.110: BYTES=32 TIME=11MS TTL=254
REPLY FROM 192.0.1.110: BYTES=32 TIME=12MS TTL=254

PING STATISTICS FOR 192.0.1.110:
    PACKETS: SENT = 4, RECEIVED = 4, LOST = 0 (0% LOSS),
APPROXIMATE ROUND TRIP TIMES IN MILLI-SECONDS:
    MINIMUM = 11MS, MAXIMUM = 15MS, AVERAGE = 12MS
R1#SHOW IP NAT TRANSLATIONS
PRO   INSIDE GLOBAL      INSIDE LOCAL       OUTSIDE LOCAL    OUTSIDE GLOBAL
ICMP  198.18.151.97:10   192.168.91.65:10   192.0.1.110:10   192.0.1.110:10
ICMP  198.18.151.97:11   192.168.91.65:11   192.0.1.110:11   192.0.1.110:11
ICMP  198.18.151.97:12   192.168.91.65:12   192.0.1.110:12   192.0.1.110:12
ICMP  198.18.151.97:9    192.168.91.65:9    192.0.1.110:9    192.0.1.110:9
HERE IS THE SUMMARY:

INTERFACE FASTETHERNET0/0
 IP ADDRESS 192.168.91.126 255.255.255.192
 IP NAT INSIDE
 DUPLEX AUTO
 SPEED AUTO
!
INTERFACE SERIAL0/0
 IP ADDRESS 192.0.1.109 255.255.255.252
 IP NAT OUTSIDE
 CLOCK RATE 64000
!
IP NAT POOL CCNA 198.18.151.97 198.18.151.102 NETMASK 255.255.255.248
IP NAT INSIDE SOURCE LIST 1 POOL CCNA OVERLOAD
IP CLASSLESS
IP ROUTE 0.0.0.0 0.0.0.0 192.0.1.110
!
!
ACCESS-LIST 1 PERMIT 192.168.91.64 0.0.0.63
!
HINT: IF THE ISP HAS GIVEN YOU A SINGLE IP ADDRESS, THEN YOU DO NOT NEED THE POOL STATEMENT (THE 1ST STATEMENT), AND YOUR 2ND STATEMENT WILL LOOK LIKE THIS:

IP NAT INSIDE SOURCE LIST 1 INT S0/0 OVERLOAD

NOW IF I ADD ANOTHER LAN (10.10.10.0/24) USING MY INT F0/1, MAKE SURE YOU HAVE DEFINED AN ACL ENTRY FOR NETWORK 10.10.10.0/24 TO GO OUT, AND MAKE SURE YOU APPLY THE COMMAND IP NAT INSIDE TO INT F0/1:

INTERFACE FASTETHERNET0/0
 IP ADDRESS 192.168.91.126 255.255.255.192
 IP NAT INSIDE
 DUPLEX AUTO
 SPEED AUTO
!
INTERFACE FASTETHERNET0/1
 IP ADDRESS 10.10.10.100 255.255.255.0
 IP NAT INSIDE                                (PLEASE ADD THIS)
 DUPLEX AUTO
 SPEED AUTO
!
INTERFACE SERIAL0/0
 IP ADDRESS 192.0.1.109 255.255.255.252
 IP NAT OUTSIDE
 CLOCK RATE 64000
!
IP NAT POOL CCNA 198.18.151.97 198.18.151.102 NETMASK 255.255.255.248
IP NAT INSIDE SOURCE LIST 1 POOL CCNA OVERLOAD
IP CLASSLESS
IP ROUTE 0.0.0.0 0.0.0.0 192.0.1.110
!
!
ACCESS-LIST 1 PERMIT 192.168.91.64 0.0.0.63
ACCESS-LIST 1 PERMIT 10.10.10.0 0.0.0.255     (PLEASE ADD THIS LINE)
!
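
The checks behind the hints above (IOS normalising the ACL subnet ID, OVERLOAD when inside hosts outnumber the pool, and IP NAT INSIDE plus an ACL entry for every added LAN) can be run over a saved running-config. This Python audit is an added example, not part of the original slides; the function name audit, the finding strings and the trimmed sample config are assumptions made for the example.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def audit(cfg):
    """Return a list of findings for an IOS NAT/PAT running-config given as text."""
    ifaces, acl, pool, rule, cur = {}, {}, 0, (None, False), None
    for w in (line.split() for line in cfg.lower().splitlines()):
        if w[:1] == ["interface"]:
            cur = ifaces.setdefault(w[1], {"net": None, "nat": None})
        elif w[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w in (["ip", "nat", "inside"], ["ip", "nat", "outside"]):
            cur["nat"] = w[2]
        elif w[:3] == ["ip", "nat", "pool"]:
            pool = ip(w[5]) - ip(w[4]) + 1  # number of public addresses
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            rule = (w[5], "overload" in w)
        elif w[:1] == ["access-list"] and w[2] == "permit":
            wc = ip(w[4])  # IOS stores address AND NOT wildcard (.69 -> .64)
            acl.setdefault(w[1], []).append((ip(w[3]) & ~wc & 0xFFFFFFFF, wc))
    out, hosts = [], 0
    for name, i in ifaces.items():
        if i["net"] is None:
            continue
        if i["nat"] == "inside":
            hosts += i["net"].num_addresses - 2
            base, host = int(i["net"].network_address), int(i["net"].hostmask)
            if not any((base & ~wc & 0xFFFFFFFF) == a and (host | wc) == wc
                       for a, wc in acl.get(rule[0], [])):
                out.append(f"{name}: {i['net']} not permitted by access-list {rule[0]}")
        elif i["nat"] is None and i["net"].is_private:
            out.append(f"{name}: private LAN without ip nat inside")
    if pool and hosts > pool and not rule[1]:
        out.append(f"{hosts} inside hosts, {pool} pool addresses, no overload")
    return out

# Constructed sample: the page's summary config, NAT-relevant lines only.
CFG = """interface FastEthernet0/0
 ip address 192.168.91.126 255.255.255.192
 ip nat inside
interface Serial0/0
 ip address 192.0.1.109 255.255.255.252
 ip nat outside
ip nat pool CCNA 198.18.151.97 198.18.151.102 netmask 255.255.255.248
ip nat inside source list 1 pool CCNA overload
access-list 1 permit 192.168.91.69 0.0.0.63
"""
print(audit(CFG + "interface FastEthernet0/1\n ip address 10.10.10.100 255.255.255.0\n"))
```

The last line appends the second LAN without IP NAT INSIDE, so the audit reports it; the sample ACL line uses the deliberately wrong subnet ID 192.168.91.69 to show that it still covers the /26.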